Android users targeted in drive-by download attacks

Sites are targeting Android users with malware that can access private networks.

Almost a dozen sites are actively targeting Android users with malware that could gain access to corporate networks and other protected systems, security researchers said. They note it's the first time compromised sites have been used to infect users of a mobile handset.

The malware, dubbed NotCompatible, is transmitted by websites when they're accessed on smartphones running Google's Android operating system, according to a blog post published Tuesday by researchers from Android antivirus provider Lookout. An iframe tag included in the sites provides a link to malicious software that's automatically downloaded after the site is visited. The sites then display notifications prompting end users to install the downloaded app. Installation is possible only on phones that have been configured to run apps acquired from sources other than the Google Play market.

"Hacked websites are frequently used to infect PCs with malware," Lookout researchers wrote in Wednesday's post. "However, today we have identified the first time hacked websites are being used to specifically target mobile devices." The company's security app automatically blocks installation of the software.

Google has long admonished users to download apps only from its official Play market. Most, but by no means all, malicious titles targeting Android are distributed through third-party channels. Lookout's discovery of sites that actively foist malicious installation apps only reinforces this advice. The security firm's claim that Android phones automatically download apps with no user prompting couldn't be immediately confirmed. If true, it's troubling behavior, even if users must change default settings to be able to install the programs.

Visiting the websites on non-Android devices returns an error message that prevents any malicious activity from taking place, Lookout said. But when a browser advertises it's running on an Android device, an HTML script automatically pushes the malicious software through a series of domains including gaoanalitics.info and androidonlinefix.info. A command and control server is hosted at notcompatibleapp.eu. About 10 websites compromised to include the malicious iframe have been identified, a Lookout spokeswoman said.
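The two observable pieces of this campaign described above, an injected iframe in compromised pages and traffic to the named delivery and command-and-control domains, can both be checked for with a small script. The following is an added example written for this article, not code from Lookout or from the report it summarizes. It uses only the three domains the article names; the HTML fragment, the proxy log layout (timestamp, client, method, URL, status, quoted user agent) and the log lines are constructed for illustration, and the "zero-size frame" heuristic is an assumption about how injected iframes are commonly hidden, not something the article states about these sites.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains Lookout associated with NotCompatible, as named in the article.
NOTCOMPATIBLE_DOMAINS = {"gaoanalitics.info", "androidonlinefix.info", "notcompatibleapp.eu"}


def host_matches(host, blocklist):
    """True if host equals a listed domain or is a subdomain of one."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in blocklist)


class _IframeCollector(HTMLParser):
    """Collects the attributes of every <iframe> start tag in a page."""
    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append({k: (v or "") for k, v in attrs})


def _is_zero(value):
    return (value or "").strip().lower() in ("0", "0px")


def find_suspicious_iframes(html, blocklist=NOTCOMPATIBLE_DOMAINS):
    """Return [(src, [reasons])] for iframes that point at listed domains or are sized to be invisible."""
    parser = _IframeCollector()
    parser.feed(html)
    hits = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        reasons = []
        if host_matches(urlparse(src).hostname, blocklist):
            reasons.append("src on known NotCompatible domain")
        if _is_zero(attrs.get("width")) and _is_zero(attrs.get("height")):
            reasons.append("zero-size (hidden) frame")  # assumed heuristic
        if reasons:
            hits.append((src, reasons))
    return hits


# Assumed proxy log layout: timestamp client method url status "user-agent"
LOG_LINE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)


def classify_request(line, blocklist=NOTCOMPATIBLE_DOMAINS):
    """Return an alert dict for a log line that touches a listed domain or fetches an APK from an Android client, else None."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    url = urlparse(m.group("url"))
    ua = m.group("ua").lower()
    reasons = []
    if host_matches(url.hostname, blocklist):
        reasons.append("request to known NotCompatible domain")
    if "android" in ua and url.path.lower().endswith(".apk"):
        reasons.append("APK download by an Android client")
    if not reasons:
        return None
    return {"client": m.group("client"), "url": m.group("url"), "reasons": reasons}


def scan_proxy_log(lines, blocklist=NOTCOMPATIBLE_DOMAINS):
    """Run classify_request over every line and keep the alerts."""
    return [a for a in (classify_request(line, blocklist) for line in lines) if a]


# Constructed sample page: one injected, hidden iframe next to a legitimate embed.
SAMPLE_HTML = """<html><body><h1>Welcome</h1>
<iframe src="http://gaoanalitics.info/" width="0" height="0"></iframe>
<iframe src="https://www.example.com/embed" width="300" height="200"></iframe>
</body></html>"""

# Constructed sample proxy log lines (addresses, timestamps and paths are made up).
ANDROID_UA = "Mozilla/5.0 (Linux; U; Android 4.0.3; en-us) AppleWebKit/534.30 Mobile Safari/534.30"
DESKTOP_UA = "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.19 Chrome/18.0 Safari/535.19"
SAMPLE_LOG = [
    f'2012-05-02T10:15:01Z 10.0.0.12 GET http://gaoanalitics.info/update.apk 200 "{ANDROID_UA}"',
    f'2012-05-02T10:15:09Z 10.0.0.12 GET http://notcompatibleapp.eu/ 200 "{ANDROID_UA}"',
    f'2012-05-02T10:16:11Z 10.0.0.20 GET http://www.example.com/index.html 200 "{DESKTOP_UA}"',
    f'2012-05-02T10:17:40Z 10.0.0.31 GET http://downloads.example.net/tool.apk 200 "{ANDROID_UA}"',
]

if __name__ == "__main__":
    for src, reasons in find_suspicious_iframes(SAMPLE_HTML):
        print(f"iframe {src}: {', '.join(reasons)}")
    for alert in scan_proxy_log(SAMPLE_LOG):
        print(f"{alert['client']} -> {alert['url']}: {', '.join(alert['reasons'])}")
```

The domain list catches the infrastructure the article names, while the APK-by-Android-client rule catches the delivery pattern itself, so a client fetching an installer from a domain not yet on any list (the fourth sample line) is still surfaced for review rather than silently passed.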

"Based on our current research, NotCompatible is a new Android trojan that appears to serve as a simple TCP relay/proxy while posing as a system update," the advisory stated. "This threat does not currently appear to cause any direct harm to a target device, but could potentially be used to gain illicit access to private networks by turning an infected Android device into a proxy."

Headline updated to make clear these aren't necessarily the first drive-by download attacks to target Android users. Lookout says they are the first time compromised sites have been used to target the OS.